Fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding

Backport fix for CVE-2026-12912 to compat-libtiff3 (libtiff 3.9.4).
Two upstream commits were cherry-picked and adapted to the 3.9.4
API to fix a heap-buffer-overflow in PixarLogDecode when handling
8BITABGR data with stride 3. The first patch adds a bounds check
and fixes the output pointer advance, and the second extends the
bounds check to handle multi-row strip decoding.

CVE: CVE-2026-12912
Upstream patches:
 - ba2b04b114.patch
 - f9bda11bf2.patch
Resolves: RHEL-189375

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
This commit is contained in:
RHEL Packaging Agent 2026-06-27 08:18:38 +00:00
parent cf89677ea6
commit 072cfeac1c
2 changed files with 117 additions and 1 deletions

View File

@ -1,7 +1,7 @@
Summary: Compatibility package for libtiff 3
Name: compat-libtiff3
Version: 3.9.4
Release: 15%{?dist}
Release: 16%{?dist}
License: libtiff
Group: System Environment/Libraries
@ -44,6 +44,10 @@ Patch35: libtiff-3.9.4-CVE-2025-9900.patch
# from upstream, for <= 4.7.1, RHEL-159315
# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
Patch36: libtiff-CVE-2026-4775.patch
# from upstream, RHEL-189375
# https://gitlab.com/libtiff/libtiff/-/commit/ba2b04b114c5dd945107ccc613cedfcca3af73bb
# https://gitlab.com/libtiff/libtiff/-/commit/f9bda11bf2fc819b971517582666d56f18b1bc3f
Patch37: libtiff-CVE-2026-12912.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@ -92,6 +96,7 @@ to use the current version of libtiff.
%patch -P 34 -p1
%patch -P 35 -p1 -b .CVE-2025-9900
%patch -P 36 -p1 -b .CVE-2026-4775
%patch -P 37 -p1 -b .CVE-2026-12912
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -136,6 +141,10 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libtiffxx.so.*
%changelog
* Sat Jun 27 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.9.4-16
- fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding
(RHEL-189375)
* Wed Apr 22 2026 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-15
- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)

View File

@ -0,0 +1,107 @@
From 3bddf1548c274f4efaf113af871d87688dd605ab Mon Sep 17 00:00:00 2001
From: waugustus <wangdw.augustus@qq.com>
Date: Thu, 23 Apr 2026 17:05:53 +0800
Subject: [PATCH 1/2] pixarlog: fix heap-buffer-overflow in 8BITABGR decode
with stride 3 (#824)
---
libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index a4c932cb..447244d3 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -746,6 +746,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
llen = sp->stride * td->td_imagewidth;
+ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */
+ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
+ {
+ tsize_t required = (tsize_t)td->td_imagewidth * 4;
+ if (occ < required)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Output buffer too small for PixarLog ABGR data");
+ memset(op, 0, (size_t)occ);
+ return (0);
+ }
+ }
+
(void) s;
assert(sp != NULL);
sp->stream.next_out = (unsigned char *) sp->tbuf;
@@ -825,7 +838,10 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
case PIXARLOGDATAFMT_8BITABGR:
horizontalAccumulate8abgr(up, llen, sp->stride,
(unsigned char *)op, sp->ToLinear8);
- op += llen * sizeof(unsigned char);
+ if (sp->stride == 3)
+ op += td->td_imagewidth * 4;
+ else
+ op += llen * sizeof(unsigned char);
break;
default:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
--
2.52.0
From c29a602200eb255f69587a35ef0c5a9f68c0ad8e Mon Sep 17 00:00:00 2001
From: waugustus <wangdw.augustus@qq.com>
Date: Thu, 7 May 2026 12:48:42 +0800
Subject: [PATCH 2/2] pixarlog: complete ABGR bounds check for multi-row strip
decoding
---
libtiff/tif_pixarlog.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 447244d3..993e1f33 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -750,6 +750,12 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
{
tsize_t required = (tsize_t)td->td_imagewidth * 4;
+ tsize_t max_rows;
+ tsize_t max_nsamples;
+
+ /*
+ * Ensure at least one expanded output row fits.
+ */
if (occ < required)
{
TIFFErrorExt(tif->tif_clientdata, module,
@@ -757,6 +763,26 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
memset(op, 0, (size_t)occ);
return (0);
}
+
+ /*
+ * PixarLogDecode() may process multiple rows per call
+ * (e.g. strip decoding). Limit nsamples so the total
+ * output written by the loop below never exceeds occ.
+ */
+ max_rows = occ / required;
+ max_nsamples = max_rows * llen;
+
+ /*
+ * Truncate excess rows to preserve as much decoded data
+ * as possible while avoiding output buffer overflow.
+ */
+ if (nsamples > max_nsamples)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "PixarLog ABGR decode truncated to avoid "
+ "output buffer overflow");
+ nsamples = max_nsamples;
+ }
}
(void) s;
--
2.52.0